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DETAILED ACTION 

1 . This Office Action is responsive to communications filed on December 1 , 2008. 
Claims 1, 3-4, and 6-45 are pending in the case. 

Information Disclosure Statement 

2. The information disclosure statement (IDS) submitted on February 17, 2009 is in 
compliance with the provisions of 37 CFR 1 .97. Accordingly, the information disclosure 
statement is being considered by the examiner. 

Response to Arguments 

3. Applicanf s arguments filed December 1, 2008 have been fully considered but 
they are not persuasive. 

In response to applicant's arguments against the references individually, one cannot show 
nonobviousness by attacking references individually where the rejections are based on 
combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re 
Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, Eichstaedt is relied 
upon to show a method and system for monitoring connections transactions between multiple 
access requestors and an access provider at a switching component (col. 5: lines 32-39; and col. 
10: lines 34-43); and denying, at the switch, access by an attacking access requestors (col. 6: 
lines 43-61; and col. 12: lines 3-20). Short discloses the missing element, i.e., the switching 
element is a switch (comprising an access concentrator 16, a gateway device 12, a router 18, and 
a DHCP server 18; col. 6: line 37 - col. 7: line 24). 
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Claim Rejections - 35 USC §101 
4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

Claims 15-37 are rejected under 35 U.S.C. 101 because the claimed invention is directed 
to non- statutory subject matter. 

As presented in the specification, page 5: lines 4-5 and page 6: lines 24-25, it would 
suggest to one of ordinary skill that all may be reasonably implemented as software routines, 
therefore, claims 15-37 are rejected as a system of software per se, failing to fall within a 
statutory category of invention. 



Claim Rejections - 35 USC § 103 

5. The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior Office action. 

6. Claims 1, 3-4, 6-39 and 42-45 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Eichstaedt et al. (U.S. Patent No. 6,662,230), hereinafter Eichstaedt, in view of 
Short et al.(US 6,636,894), hereinafter Short. 

Regarding claims 1, 13, 15, 23, 25, 34, 38-39 and 45, as shown in Figures 1-6, Short 
discloses: 

monitoring a computer system for connection transactions between multiple requestors 
(12, 14, 16) and an access provider (21) at a switching component (22, 11) connected to the 
access provider and transfer data to and from the access providers (col. 5: lines 32-39; and col. 
10: lines 34-43); 
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denying, at the switching component, access by an attacking access requestor (16) to the 
access provider (21) when a number of connection transactions initiated by the attacking access 
requestor (e.g., request values) through the switch (1 1) exceeds a configurable threshold number 
(e.g., maximum request values) during a first configurable period of time (col. 6: lines 43-61; 
and col. 12: lines 3-20). 

Eichstaedt also discloses the monitoring includes detecting connection transactions 
between multiple Internet protocol addresses and the access provider with the switching 
component (Eichstaedt; col. 5: lines 32-39; and col. 7: lines 23-49). 

Eichstaedt does not explicitly teach the switching component is a switch and connected to 
access providers. 

As shown in Figure 1, Short teaches a switch (computer system 10 comprising an access 
concentrator 16, a gateway device 12, a router 18, and a DHCP server 18, all of which can be 
embedded within a switch; col. 6: line 37 - col. 7: line 24) providing multiple users (14) access 
to a plurality of networks (22 and 20; col. 6: line 9 - col. 7: line 24). 

It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to apply Short's method of providing multiple users access to a plurality of network 
providers in Eichstaedt' s system, motivated by the need of providing users access to the Internet, 
i.e., a worldwide, publicly accessible network of interconnected computer networks that transmit 
data, consisting of millions of smaller domestic, academic, business, and government networks. 



Regarding claim 3, Eichstaedt-Short also discloses the monitoring further includes 
counting, using the switch, and comparing the number of connection transactions initiated by the 
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access requestors to any of the access providers (e.g., request values) through the switching 
component (e.g., 22, 1 1) during the first configurable period of time (ti) to the configurable 
threshold (e.g., a comparison between the calculated request values and a predefined maximum 
value is made; Eichstaedt; col. 7: lines 5-49). 

Regarding claims 4, 16 and 26, Eichstaedt-Short also discloses: 

the monitoring further includes comparing, using the switch, the number of connection 
transactions initiated by the access requestors through the switch during the first configurable 
period of time to the configurable threshold number (e.g., a comparison between the calculated 
request values and a predefined maximum value is made during ti; Eichstaedt; col. 7: lines 5-49); 
and 

denying access by the attacking access requestor to the access providers includes 
denying, using the switch, access by the attacking access requestor to all of the access providers 
connected to the switch when the comparison results indicate that the number of connection 
transactions initiated by the attacking access requestor during the first configurable period of 
time exceeds the configurable threshold number (e.g., denying access after failing cumulative 
data check; Eichstaedt, col. 3: lines 3-38 and col. 9: line 2-53). 

Regarding claim 6, Eichstaedt-Short also discloses the monitoring further includes 
counting, using the switch, the number of connection transactions initiated to any of the access 
providers by the Internet protocol addresses during the first configurable period of time such that 
the number of connection transactions reflects a cumulative number of connection transactions 
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initiated to any of the access providers by the Internet protocol addresses (step 86, Figure 4; 
Eichstaedt, col. 8: line 56 - col. 9: line 15). 

Regarding claims 7, 17 and 27, Eichstaedt-Short also discloses the monitoring further 
includes: 

comparing, using the switch, the number of connection transactions initiated by the 
internet protocol addresses during the first configurable period of time to the configurable 
threshold number (e.g., a comparison between the calculated request values and a predefined 
maximum value is made during first frequency ti; Eichstaedt; col. 7: lines 5-49); and 

denying access by the attacking access requester to the access providers includes 
denying, using the switch, access by the attacking access requestor to all of the access providers 
connected to the switch when the comparison results indicate that the number of connection 
transactions initiated by the Internet protocol address associated with the attacking access 
requestor during the first configurable period of time exceeds the configurable threshold number 
(step 86, Eichstaedt; Figure 4, col. 8: line 56 - col. 9: line 15). 

Regarding claims 8, 18, and 28, Eichstaedt-Short also discloses the monitoring includes 
monitoring a computer system for connection transaction made using TCP (Short; col. 9: lines 
15-25). 
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Regarding claims 9, 19 and 29, Eichstaedt-Short also discloses the detecting includes 
identifying the IP addresses through the use of a header attached to a message representing the 
connection transaction being detected (Eichstaedt; Figure 4, col. 8: lines 39-55). 

Regarding claims 10-12, 20-22, and 30-33, Eichstaedt-Short also discloses that the 
denying of access includes denying access to the access providers through the switch (e.g., 22, 
1 1) by the attacking access requestor (e.g., 16) for a second configurable period of time (ti) after 
detecting a most recent connection transaction initiated by the attacking requestor through the 
switch (Eichstaedt; col. 4: lines 12-17, and col. 7: lines 31-49). 

Regarding claims 14, 24 and 35, Eichstaedt-Short also discloses the counting further 
comprises counting, using the switch, a cumulative number of connection transactions for all of 
the access providers connected to the switch initiated by each of the access requestors during the 
first configurable period of time (step 86, Figure 4; Eichstaedt, col. 8: line 56 - col. 9: line 15). 

Regarding claims 36, Eichstaedt-Short also discloses a host computer system (e.g., 21) 
receives communication from the switch (e.g., 22, 11; Eichstaedt, Figure 1). 

Regarding claims 37, Eichstaedt-Short also discloses the switch (e.g., 22, 1 1) is included 
in a host system (e.g., 21; Eichstaedt, Figure 1). 



Application/Control Number: 09/666, 1 40 Page 8 

Art Unit: 2456 

Regarding claim 42, Eichstaedt-Short also discloses: 

the access provides include a first access provider and a second access provide that 
different from the first access provider (20, 22; Short, Figure 1); 

monitoring for connection transactions between multiple access requestors and access 
providers using the switching component connected to the access providers includes: 

detecting, using the switch, a first number of connection transaction initiated by 

the attacking access requestor to the first access provider during the first configurable 

period of time (e.g., monitoring request frequency to a server for a specific chent 

identifier during ti; Eichstaedt; col. 7: lines 5-49), and 

detecting, using the switch, a second number of connection transactions initiated 

by the attacking access requestor to the second access provider during the first 

configurable period of time (e.g., monitoring request frequency to a server for a specific 

client identifier during ti; Eichstaedt; col. 7: lines 5-49), and 

denying access by the attacking access requestor to the access providers when the number 
of connection transactions initiated by the attacking access requestors through the switch exceeds 
the configurable threshold number during the first configurable period of time includes denying 
access by the attacking access requestor to both the first access provider and the second access 
provider when a sum of the first number of connection transactions and the second number of 
connection transactions exceeds the configurable threshold number (perform frequency check 
and cumulative data check, the client identifier fails and is rejected if the request value exceeds 
the predefined maxima; Eichstaedt; Figure 4, col. 8: line 56 - col. 9: line 53). 
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Regarding claim 43, Eichstaedt-Short also discloses: 

detecting, using the switch, the first number of connection transactions initiated by the 
attacking access requestor to the first access provider during the first configurable period of time 
includes detecting a first number of connection transactions that exceeds the configurable 
threshold number during the first configurable period of time (e.g., comparing the calculated 
request values and a predefined maximum value is made during ti, obviously the calculated 
request value could be any number, i.e., less than, equal or exceed the predefined maxima; 
Eichstaedt; col. 7: lines 5-49); 

detecting, using the switch, the second number of connection transactions initiated by the 
attacking access requestor to the second access provider during the first configurable period of 
time includes detecting zero connection transactions initiated by the attacking access requestor to 
the second access provider during the first configurable period of time (e.g., comparing the 
calculated request values and a predefined maximum value is made during ti, obviously the 
calculated request value could be any number, i.e., less than, equal or exceed the predefined 
maxima; Eichstaedt; col. 7: lines 5-49), and 

denying access by the attacking access requestor to both the first access provider and the 
second access provider when a sum of the first number of connection transactions and the second 
number of connection transactions exceeds the configurable threshold number includes denying 
access by the attacking access requestor to both the first access provider and the second access 
provider when the first number of connection transaction exceeds the configurable threshold 
number and the second number of connection transaction is zero (perform frequency check and 
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cumulative data check, the client identifier fails and is rejected if the request value exceeds the 
predefined maxima; Eichstaedt; Figure 4, col. 8: line 56 - col. 9: line 53). 

Regarding claim 44, Eichstaedt-Short also discloses: 

detecting, using the switch, the first number of connection transactions initiated by the 
attacking access request or to the first access provider during the first configurable period of time 
includes detecting a first number of connection transactions that is less than the configurable 
threshold during the first configurable period of time (e.g., comparing the calculated request 
values and a predefined maximum value is made during ti, obviously the calculated request value 
could be any number, i.e., less than, equal or exceed the predefined maxima; Eichstaedt; col. 7: 
lines 5-49); 

detecting, using the switch, a second number of connection transactions initiated by the 
attacking access requestor to the second access provider during the first configurable period of 
time includes detecting a second number of connection transactions that is less than the 
configurable threshold number during the first configurable period of time (e.g., comparing the 
calculated request values and a predefined maximum value is made during ti, obviously the 
calculated request value could be any number, i.e., less than, equal or exceed the predefined 
maxima; Eichstaedt; col. 7: lines 5-49), the sum of the first number of connection transactions 
and the second number of connection transactions exceeding the configurable threshold number 
(since log entries is based on client identifiers, it is obvious a cumulative request value from a 
client including connection transactions to all access providers; col. 6: lines 39-61); and 
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denying access by the attacking access requestor to both the first access provider and the 
second access provider when a sum of the first number of connection transactions and the second 
number of connection transactions exceed the configurable threshold number includes denying 
access by the attacking access requestor to both the first access provider and the second access 
provider when the sum of the first number of connection transactions and the second number of 
connection transactions exceeds the threshold number, even though neither the first number of 
connection transactions nor the second number of connection transactions exceeds the 
configurable threshold number (perform frequency check and cumulative data check, the client 
identifier fails and is rejected if the request value exceeds the predefined maxima; Eichstaedt; 
Figure 4, col. 8: line 56 - col. 9: line 53). 

7. Claims 40-41 are rejected under 35 U.S. C. 103(a) as being unpatentable over 
Eichstaedt, in view of Short, as applied to claim 39 above, and further in view of Lin et al (US 
6,751,668). 

Regarding claim 40, Eichstaedt-Short does not explicitly teach the establishment of a 
communication link between the attacking access requestor and one of the access providers 
involving exchange of more than two electronic messages. 

Lin discloses establishment of a communication link between the attacking access 
requestor and one of the access providers involving exchange of more than two electronic 
messages (e.g., SYN and SYN/ACK; Figure 1, col. 2: lines 2-9). 
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It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to utilize Lin's method of responding to service attacks in Eichstaedt- Short's system in 
order to limiting unwanted access to server data. 

Regarding claim 41, Eichstaedt-Short-Lin also discloses: 

determining, using the switch, that the second configurable time period, has passed 
without detecting a new connection transaction initiated by the attacking access requestor to any 
of the access providers through the switching component (e.g., monitoring the rate of receipt of 
session establishment; Lin, Figure 2: lines 30-43); and 

in response to determining at the second configurable time period has passed without 
detecting a new connection transaction initiated by the attacking access requestor to any of the 
access providers through the switching component, allowing access by an attacking access 
requestor to the access providers (e.g., monitoring the rate of receipt of session establishment is 
less that the MAX SESS RATE, the state machine moves back to the normal state 202; Lin, 
Figure 2: lines 30-43). 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to VAN KIM T. NGUYEN whose telephone number is (571)272- 
3073. The examiner can normally be reached on 8:00 AM - 4:30 PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Bunjob Jaroenchonwanit can be reached on 571-272-3913. The fax phone number 
for the organization where this apphcation or proceeding is assigned is 571-273-8300. 

Information regarding the status of an apphcation may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Van Kim T. Nguyen 

Examiner 

Art Unit 2456 

vkn 

/Y asin M Barqadle/ 

Primary Examiner, Art Unit 2456 



